digitalmars.D.learn - Check if path is child of directory
- Jeroen Bollen (11/11) Feb 09 2014 I'm building a webserver using the Vibe.d library. Whenever the
- Jeroen Bollen (4/15) Feb 09 2014 I just figured out vibe.d handles this automatically, but I'd
- Jonathan M Davis (9/28) Feb 09 2014 std.path.absolutePath will take care of any ..'s at the beginning (which...
- Jesse Phillips (4/15) Feb 09 2014 You can remove the directory navigation with
- Jeroen Bollen (3/22) Feb 10 2014 Would that be relative to the working directory? Would "./../"
I'm building a webserver using the Vibe.d library. Whenever the user requests a page inside my /images/ folder; I want them to output this file. Because there will be a lot of images present, and because these are likely to change in the future, I would like to just get the URL from the request, and automatically output the file. I am aware though, that users could perform tricks like "images/../../../../sensitive_file_here". In order to prevent that I would like a solid way of making sure the entered path is actually inside the images directory. How do I do this?
Feb 09 2014
On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
> I'm building a webserver using the Vibe.d library. Whenever the user requests a page inside my /images/ folder; I want them to output this file. Because there will be a lot of images present, and because these are likely to change in the future, I would like to just get the URL from the request, and automatically output the file. I am aware though, that users could perform tricks like "images/../../../../sensitive_file_here". In order to prevent that I would like a solid way of making sure the entered path is actually inside the images directory. How do I do this?

I just figured out vibe.d handles this automatically, but I'd still like to know of a secure way to do this, for future reference.
Feb 09 2014
On Sunday, February 09, 2014 21:09:51 Jeroen Bollen wrote:
> On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
>> I'm building a webserver using the Vibe.d library. Whenever the user requests a page inside my /images/ folder; I want them to output this file. Because there will be a lot of images present, and because these are likely to change in the future, I would like to just get the URL from the request, and automatically output the file. I am aware though, that users could perform tricks like "images/../../../../sensitive_file_here". In order to prevent that I would like a solid way of making sure the entered path is actually inside the images directory. How do I do this?
>
> I just figured out vibe.d handles this automatically, but I'd still like to know of a secure way to do this, for future reference.

std.path.absolutePath will take care of any ..'s at the beginning (which doesn't quite seem to be your problem here, but it might be useful depending on what you're doing). However, what you probably want here is std.path.buildNormalizedPath. Like buildPath, it can be used to construct a path from multiple strings, but if you give it only one string, it'll still work and will normalize it (it just won't have anything else to append to it like it would if you were really building a path).

- Jonathan M Davis
Feb 09 2014
On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
> I'm building a webserver using the Vibe.d library. Whenever the user requests a page inside my /images/ folder; I want them to output this file. Because there will be a lot of images present, and because these are likely to change in the future, I would like to just get the URL from the request, and automatically output the file. I am aware though, that users could perform tricks like "images/../../../../sensitive_file_here". In order to prevent that I would like a solid way of making sure the entered path is actually inside the images directory. How do I do this?

You can remove the directory navigation with std.path.buildNormalizedPath, not sure the behavior on a relative path, but you could call std.path.absolutePath first.
Feb 09 2014
On Monday, 10 February 2014 at 00:44:23 UTC, Jesse Phillips wrote:
> On Sunday, 9 February 2014 at 21:02:59 UTC, Jeroen Bollen wrote:
>> I'm building a webserver using the Vibe.d library. Whenever the user requests a page inside my /images/ folder; I want them to output this file. Because there will be a lot of images present, and because these are likely to change in the future, I would like to just get the URL from the request, and automatically output the file. I am aware though, that users could perform tricks like "images/../../../../sensitive_file_here". In order to prevent that I would like a solid way of making sure the entered path is actually inside the images directory. How do I do this?
>
> You can remove the directory navigation with std.path.buildNormalizedPath, not sure the behavior on a relative path, but you could call std.path.absolutePath first.

Would that be relative to the working directory? Would "./../" still work?
Feb 10 2014
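
Added example, not code from any poster in the thread: one way to carry out the check the replies point toward, making the root absolute with std.path.absolutePath, normalizing with std.path.buildNormalizedPath, and then comparing path components. The helper name `resolveInside` and the root `/srv/www/images` are hypothetical, POSIX paths are assumed, and the request string is assumed to be URL-decoded already.

```d
import std.algorithm.searching : startsWith;
import std.path : absolutePath, buildNormalizedPath, pathSplitter;
import std.stdio : writefln;

/// Returns the normalized absolute path of `requested` below `root`,
/// or null when that path falls outside `root`.
/// (resolveInside is a hypothetical helper name.)
string resolveInside(string root, string requested)
{
    // absolutePath resolves a relative root against the current working
    // directory; buildNormalizedPath then folds "." and ".." segments.
    string base = buildNormalizedPath(absolutePath(root));

    // A rooted `requested` replaces `base` entirely here, and ".." can
    // climb above it, so the result is checked rather than trusted.
    string full = buildNormalizedPath(base, requested);

    // Compare whole components, not characters, so that
    // "/srv/www/images-old" is not accepted as a child of "/srv/www/images".
    return startsWith(pathSplitter(full), pathSplitter(base)) ? full : null;
}

void main()
{
    // Constructed sample requests; the root directory is an assumption.
    enum root = "/srv/www/images";
    auto requests = [
        "cat.png",                          // plain file name
        "./thumbs/../cat.png",              // detour through a subdirectory
        "../../../../sensitive_file_here",  // the thread's trick, images/ prefix stripped
        "../images-old/cat.png",            // sibling directory sharing the prefix
        "/etc/passwd",                      // rooted path
    ];
    foreach (req; requests)
    {
        auto resolved = resolveInside(root, req);
        writefln("%-34s -> %s", req, resolved is null ? "rejected" : resolved);
    }

    // On a relative path, leading ".." segments survive normalization,
    // which is why the root is made absolute first.
    assert(buildNormalizedPath("./../") == "..");
}
```

The check is purely lexical: buildNormalizedPath does not touch the file system, so a symbolic link inside the root can still lead outside it.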